The average company devotes 16 percent of its IT budget to cybersecurity, mostly consisting of technologies and tools such as firewalls, antivirus software, and other programs designed to repel attackers. But attackers increasingly target the people within the organization, searching for human vulnerabilities. Ignoring the role your employees play in your cybersecurity risks can be extremely costly and dangerous.
Let’s take a closer look at why employees are your top line of defense and how you can properly train them with a well-planned cybersecurity awareness training program.
Why cybersecurity awareness training is important
If an attacker can get an employee’s username or password to just one system or application (even a personal one such as their Netflix account), confidential company data may be at risk. Why? Well, many people still use the same credentials for most or all of their systems, and if your employees aren’t aware of the importance of password security, they may be doing the same thing. All it takes is one phishing email or one clever phone call to trick an employee into handing over the keys to the kingdom. A tool can’t protect you against this type of attack.
Statistics show just how widespread the human vulnerability problem is. The 2020 Data Breach Investigations Report found the following:
- 22 percent of breaches were caused by social engineering scams, including phishing emails and financial pretexting (in which attackers contact employees by phone or email and try to trick them into revealing sensitive financial information).
- An additional 22 percent of data breaches were caused by simple human error, such as sending an email to the wrong person or sharing information with an unauthorized individual.
- Four percent of data breaches were caused by physical actions, such as document or device theft.
- Eight percent of breaches were caused by employee misuse of information.
In our work with clients over the years, we have seen a pattern emerge when it comes to cybersecurity awareness training for employees. The majority of companies tend to take two approaches to dealing with the human side of cybersecurity:
- IT often wants to buy a tool to prevent employees from doing something that may cause a breach (such as clicking on a phishing email). They may even send out fake phishing emails to see which employees click on them. Those who show themselves to be susceptible may be sent for training, which is often viewed as a punishment for making a mistake. Some companies even write up or terminate employees who fail phishing tests.
- The company conducts a yearly cybersecurity training program. The material is often the same year after year, with the same generic guidance provided for each employee.
Unfortunately, neither of the above approaches is effective at creating the human firewall needed to protect your organization from attack. At the end of the day, your employees are the ones with the passwords; they are the ones with access to systems and information; they are the ones carrying out actions each day. Yet there is not enough emphasis on cybersecurity training for employees.
Yes, no matter how much training you provide for your employees, they will never be perfect, but neither are tools. And you can get a bigger bang for your buck from the money you invest in cybersecurity awareness training. It is less expensive than tools, and when you teach people how to protect themselves and the business, the resulting decrease in attacks can save your business vast amounts of money.
We have a list of 8 cybersecurity awareness best practices to help organizations implement an effective cybersecurity training program.
8 tips for a successful cybersecurity awareness program
1. Don’t “set it and forget it”
A successful cybersecurity training program requires a constant and consistent approach. Repetition of major threats and how to address them is critical. Organizations should create as many touch points as possible, leveraging multiple ways to reach employees.
2. Conduct educational and informational sessions
We recommend holding at least two sessions per year on a company-wide basis. The topics covered should change in order to address new threats and to keep people interested. Topic ideas include phishing emails, malware, password security, social media threats, and internet safety.
As new issues emerge, it’s important to respond quickly. For example, as COVID-19 has forced many companies into a long-term remote work environment, proper training for secure remote work is an absolute must.
3. Make it engaging
Cybersecurity awareness training doesn’t have to be boring. Conduct contests to see who can successfully identify a phishing email, and reward employees with a gift card. Use online games to teach employees about cybersecurity threats in a fun, interactive way.
Organizations can also make use of simulation exercises to assess how well everyone within the organization responds to an attack. The results can be used to shape future training sessions.
4. Provide role-based training
Your accounting team doesn’t need the same type of training as your customer service staff or the CEO. Some people have access to more sensitive information, so they require a higher level of training. Roles with elevated access carry greater risk and attract attacks aimed specifically at their job functions, so they benefit from cybersecurity training tailored to those attacks.
5. Train employees from day one
Cybersecurity awareness training should be part of the onboarding process for new employees. This approach serves two purposes:
- It shows just how important cybersecurity is to the organization as a whole.
- It creates the appropriate mindset and habits in employees immediately, creating a stronger human defense system.
A virtual Chief Information Security Officer (vCISO) can help organizations identify the appropriate goals and training program. Each company is unique, so training needs to be geared towards the biggest threats to your business. A one-size-fits-all approach won’t yield the results you want.
7. Demonstrate commitment
All too often we come across companies in which the CEO didn’t participate in the cybersecurity training provided. If the CEO doesn’t think security is important, why should anyone else? What’s even more alarming here is that the CEO is often the biggest target, making training even more critical for this role.
No matter how much any one individual thinks they know about cybersecurity, it requires more than intelligence to prevent attacks. Everyone needs to have the proper education, awareness, and mindset in order to protect the business.
8. Measure success
As with your technological approach to cybersecurity, organizations should gather metrics to see how training is performing over time. Gather data on the frequency of incidents before training begins, so you can see how they decrease over time. Data on the percentage of phishing emails reported by employees and the amount of money spent on remediation can also help demonstrate how well your cybersecurity awareness program is working.
While tools and technology are a critical part of any cybersecurity strategy, we always recommend our clients devote just as much attention to the people. A strong human firewall is not only less expensive to build, but it also has a bigger ROI when it comes to preventing and defending against attacks.